Advisories for Gem/Phlex package

During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. div(**user_attributes). The second bypass could happen if user-provided tag names were passed to the tag method, e.g. tag(some_tag_name_from_user). The third bypass could happen if user’s links were passed …

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The reason these issues were not detected before is the escapes were working as designed. However, their design didn't take into account just how recklessly permissive browser are when it comes to executing unsafe JavaScript via HTML attributes.

This advisory duplicates another.

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an <a> tag could be bypassed with tab \t or newline \n characters between the characters of the protocol, e.g. java\tscript:.

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. Impact If you render an <a> tag with an href attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. a(href: user_profile) { "Profile" } If you splat user-provided attributes …